It was possible that free()d memory could be read during parsing in the unusual circumstance of the Perl program ending with a heredoc and the last line of the file on disk having no terminating newline character.
This has now been fixed.

A performance regression introduced in Perl 5.11.2 in non-Unicode case-insensitive pattern matching has been largely resolved.
In particular,
the disabled optimization is now restored for every ASCII-range character.
[perl #107816]

Carp now handles objects with string overloads.
It also allows objects to specify how they appear in the stack dump with a CARP_TRACE method,
and also allows the user to specify their own formatter for objects without CARP_TRACE as well as other references.
[perl #92446]

SvREFCNT_inc and SvREFCNT_dec have been removed and SvREFCNT will now work on non-scalars.
[perl #117793]

Dump now checks its arguments at compile time.
Both arguments are now evaluated in scalar context,
with exceptions for @arrays and %hashes,
allowing aggregates to be dumped directly.
The first argument is evaluated in rvalue scalar context,
allowing rvalue pos and substr to be dumped.

fill_mstats no longer crashes if its argument is not already a string.
[perl #92260]

The dist target now reports the file created,
an infinite loop in clean_subdirs has been fixed,
an invisible interactive question is now avoided when rebuilding Makefile,
issues with /cygdrive on Cygwin have been resolved,
LD and OPTIMIZE are now used in recursive Makefile.PL invocations,
VERSION and VERSION_FROM now handle v-strings correctly,
and control characters are now stripped from ABSTRACT.

The open tutorial has been completely rewritten by Tom Christiansen,
and now focuses on covering only the basics,
rather than providing a comprehensive reference to all things openable.
This rewrite came as the result of a vigorous discussion on perl5-porters kicked off by a set of improvements written by Alexander Hartmaier to the existing perlopentut.
A "more than you ever wanted to know about open" document may follow in subsequent versions of perl.

(F) You assigned a magical array to a stash element,
and then tried to use the subroutine from the same slot.
You are asking Perl to do something it cannot do,
details subject to change between Perl versions.

Autovivifying a subroutine stub via \&$glob started causing crashes in Perl 5.18.0 if the $glob was merely a copy of a real glob,
i.e.,
a scalar that had had a glob assigned to it.
This has been fixed.
[perl #119051]

On 64-bit platforms pos can now be set to a value higher than 2**31-1.
[perl #72766]

Perl used to leak an implementation detail when it came to referencing the return values of certain operators.
for ($a+$b) { warn \$_; warn \$_ } used to display two different memory addresses,
because the \ operator was copying the variable.
Under threaded builds,
it would also happen for constants (for(1) { ...
}).
This has been fixed.
[perl #21979,
#78194,
#89188,
#109746,
#114838,
#115388]

The range operator .. was returning the same modifiable scalars with each call,
unless it was the only thing in a foreach loop header.
This meant that changes to values within the list returned would be visible the next time the operator was executed.
[perl #3105]

Closures of the form sub () { $some_variable } are no longer inlined,
causing changes to the variable to be ignored by callers of the subroutine.
[perl #79908]

Return values of certain operators such as ref would sometimes be shared between recursive calls to the same subroutine,
causing the inner call to modify the value returned by ref in the outer call.
This has been fixed.

__PACKAGE__ and constants returning a package name or hash key are now consistently read-only.
In various previous Perl releases,
they have become mutable under certain circumstances.

/$qr/p was broken in Perl 5.18.0; the /p flag was ignored.
This has been fixed.
[perl #118213]

Starting in Perl 5.18.0,
a construct like /[#](?{})/x would have its # incorrectly interpreted as a comment.
The code block would be skipped,
unparsed.
This has been corrected.

Starting in Perl 5.001,
a regular expression like /[#$a]/x or /[#]$a/x would have its # incorrectly interpreted as a comment,
so the variable would not interpolate.
This has been corrected.
[perl #45667]

On non-threaded builds,
setting ${"_<filename"} to a reference or typeglob no longer causes __FILE__ and some error messages to produce a corrupt string,
and no longer prevents #line directives in string evals from providing the source lines to the debugger.
Threaded builds were unaffected.

The first statement inside a string eval used to use the wrong pragma setting sometimes during constant folding.
eval 'uc chr 0xe0' would randomly choose between Unicode,
byte,
and locale semantics.
This has been fixed.

The handling of return values of @INC filters (subroutines returned by subroutines in @INC) has been fixed in various ways.
Previously tied variables were mishandled,
and setting $_ to a reference or typeglob could result in crashes.

The SvPVbyte XS function has been fixed to work with tied scalars returning something other than a string.
It used to return utf8 in those cases where SvPV would.

bless no longer dies with "Can't bless non-reference value" if its first argument is a tied reference.

reset with an argument no longer skips copy-on-write scalars,
regular expressions,
typeglob copies,
and vstrings.
Also,
when encountering those or read-only values,
it no longer skips any array or hash with the same name.

ucfirst and lcfirst were not respecting the bytes pragma.
This was a regression from Perl 5.12.
[perl #117355]

The use of \G in regular expressions,
where it's not at the start of the pattern,
is now slightly less buggy (although it is still somewhat problematic).

Where a regular expression included code blocks (/(?{...})/),
and where the use of constant overloading triggered a re-compilation of the code block,
the second compilation didn't see its outer lexical scope.
This was a regression in Perl 5.18.0.

Changes to UNIVERSAL::DESTROY now update DESTROY caches in all classes,
instead of causing classes that have already had objects destroyed to continue using the old sub.
This was a regression in Perl 5.18.
[perl #114864]

All known false-positive occurrences of the deprecation warning "Useless use of '\'; doesn't escape metacharacter '%c'",
added in Perl 5.18.0,
have been removed.
[perl #119101]

The list above is almost certainly incomplete as it is automatically generated from version control history.
In particular,
it does not include the names of the (very much appreciated) contributors who reported issues to the Perl bug tracker.

Many of the changes included in this version originated in the CPAN modules included in Perl's core.
We're grateful to the entire CPAN community for helping Perl to flourish.

For a more complete list of all of Perl's historical contributors,
please see the AUTHORS file in the Perl source distribution.

If you find what you think is a bug,
you might check the articles recently posted to the comp.lang.perl.misc newsgroup and the perl bug database at http://rt.perl.org/perlbug/ .
There may also be information at http://www.perl.org/ ,
the Perl Home Page.

If you believe you have an unreported bug,
please run the perlbug program included with your release.
Be sure to trim your bug down to a tiny but sufficient test case.
Your bug report,
along with the output of perl -V,
will be sent off to perlbug@perl.org to be analysed by the Perl porting team.

If the bug you are reporting has security implications,
which make it inappropriate to send to a publicly archived mailing list,
then please send it to perl5-security-report@perl.org.
This points to a closed subscription unarchived mailing list,
which includes all the core committers,
who will be able to help assess the impact of issues,
figure out a resolution,
and help co-ordinate the release of patches to mitigate or fix the problem across all platforms on which Perl is supported.
Please only use this address for security issues in the Perl core,
not for modules independently distributed on CPAN.